Re: [spfbis] SPF-checking tool
"Frank Bulk" <frnkblk@iname.com> Thu, 27 February 2020 15:58 UTC
Return-Path: <frnkblk@iname.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDCDC3A0BA1 for <spfbis@ietfa.amsl.com>; Thu, 27 Feb 2020 07:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.297
X-Spam-Level:
X-Spam-Status: No, score=-0.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, SPF_FAIL=0.001, URIBL_BLOCKED=0.001, URI_HEX=0.1] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iF3ZI_p6pkDO for <spfbis@ietfa.amsl.com>; Thu, 27 Feb 2020 07:58:28 -0800 (PST)
Received: from premieronline.net (mail.premieronline.net [IPv6:2607:fe28:0:4000::10]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D73CF3A0BA0 for <spfbis@ietf.org>; Thu, 27 Feb 2020 07:58:27 -0800 (PST)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=199.120.69.4; envelope-from=<frnkblk@iname.com>;
Received: from FBULKPC (unverified [199.120.69.4]) by premieronline.net (SurgeMail 7.4f) with ESMTP id 12508003-1729245 for multiple; Thu, 27 Feb 2020 09:56:10 -0600
From: Frank Bulk <frnkblk@iname.com>
To: 'Stuart D Gathman' <stuart@gathman.org>
Cc: spfbis@ietf.org, 'Scott Kitterman' <sklist@kitterman.com>
References: <000001d5ecb6$106efd90$314cf8b0$@iname.com> <alpine.LRH.2.21.2002270235340.2087@mail.gathman.org>
In-Reply-To: <alpine.LRH.2.21.2002270235340.2087@mail.gathman.org>
Date: Thu, 27 Feb 2020 09:56:09 -0600
Message-ID: <000001d5ed86$6e0b90f0$4a22b2d0$@iname.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdXstTWAX0UO2VeETfGQ8rkT9QwrKgAvbOWAAAIkEGA=
Content-Language: en-us
X-Originating-IP: 199.120.69.4
X-Vpipe: restarted=25 started /var/surgemail/scavs.pl (/var/surgemail/scavs.pl)
X-SpamDetect: : -2.8 sd=-2.8 0.04(X-myrbl:Color=white) 0.74(Received:for multiple) [nnot=1, ng=1, nsum=0, nb=0, nw=1, -6.78]
X-LangGuess: English
X-MyRbl: Color=White (rbl) Age=0 Spam=0 Notspam=0 Stars=0 Good=40 Friend=0 Surbl=0 Catch=0 r=0 ip=199.120.69.4
X-IP-stats: Incoming Last 0, First 107, in=23547, out=0, spam=0 ip=199.120.69.4
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/5_AqnD40TMBFvHgHTGmfCkeTvvU>
Subject: Re: [spfbis] SPF-checking tool
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2020 15:58:30 -0000
Perhaps I'm using an old version of that Python script, but here are some examples. My best guess is that the python script stops as soon as it passes the check, but doesn't evaluate the whole record. deerequipment.com: Dmarcian notes "The target name for "include:spf.protection.outlook.com" equals an already evaluated "include" mechanism / "redirect" modifier." visionnetusa.com: Dmarcian notes "Multiple SPF records found for "visionnetusa.com". There should only be one." ghekkonetworks.com: Dmarcian notes "Multiple SPF records found for "ghekkonetworks.com". There should only be one." billtrust.com: Dmarcian notes " A DMARC record was detected under "billtrust.com". DMARC records must be located at "_dmarc.billtrust.com", and not directly at "billtrust.com". If DMARC was set up as a wildcard record, that should be removed and placed only at the domain level." zayo.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF record. The maximum is 10." root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 ip4:66.202.101.250 ip4:65.114.230.67 ip4:64.179.27.250 ip4:64.196.161.5 ip4:13.111.0.0/23 ip4:64.18.0.0/20 ip4:64.151.112.128/28 ip4:64.151.119.32/27 ip4:64.233.160.0/19 ip4:64.235.144.0/20 ip4:66.102.0.0/20 ip4:66.231.95.0/29 ip4:66.249.80.0/20 ip4:67.59.141.128/28 ip4:64.125.230.136/32 ip4:69.43.143.32/27 ip4:69.43.143.96/27 include:spf-0024b301.pphosted.com include:email-od.com include:_spf.salesforce.com include:_spf.google.com include:aspmx.pardot.com include:_spf.q4press.com ~all" 66.202.101.250 postmaster@zayo.com mail.zayo.com result: ('pass', 250, 'sender SPF authorized') ip4:66.202.101.250 root@nagios:/usr/local/bin/spfcheck# nocix.net: Dmarcian notes "16 DNS lookups required to evaluate the SPF record. The maximum is 10." root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 mx a ip4:204.152.38.69/32 ip4:204.152.38.70/32 ip4:204.152.38.77/32 ip4:204.152.38.72/32 a:s101.ndevix.com a:s101.chi.ndevix.com a:s102.ndevix.com a:s105.ndevix.com a:f0.mx.ndevix.com a:f102.mx.ndevix.com include:ndevix.com -all" 204.152.38.87 postmaster@nocix.net mail.nocix.net result: ('pass', 250, 'sender SPF authorized') mx root@nagios:/usr/local/bin/spfcheck# tivo.com: Dmarcian notes: Error! 30 DNS lookups required to evaluate the SPF record. The maximum is 10. Error! SPF record is present, but invalid. root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 include:_spf.tivo.com mx include:authsmtp.com include:stspg-customer.com include:spf.protection.outlook.com include:aspmx.pardot.com include:_spf.centercode.com ~all" 204.176.49.0 postmaster@tivo.com mail.tivo.com result: ('pass', 250, 'sender SPF authorized') include:_spf.tivo.com root@nagios:/usr/local/bin/spfcheck# nex-tech.com: Dmarciate notes: "SPF record is present, but invalid." root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 ip4:208.65.144.0/21 ip4:208.81.64.0/21 ip4:24.225.0.0/25 ip4:24.225.11.128/25 ip4:24.225.12.66 ip4:52.240.150.170 include:amazonses.com a:dispatch-us.ppe-hosted.com include:449074.spf10.hubspotemail.net include:_spf.bigcommerce.com include:azure.quotevalet.com include:spf.protection.outlook.com a -all" 208.65.144.0 postmaster@nex-tech.com mail.nex-tech.com result: ('pass', 250, 'sender SPF authorized') ip4:208.65.144.0/21 root@nagios:/usr/local/bin/spfcheck# atx.com: Dmarcian notes "12 DNS lookups required to evaluate the SPF record. The maximum is 10." root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 include:spf.protection.outlook.com include:aspmx.pardot.com include:salesforce.com -all" 40.92.0.0 postmaster@atx.com mail.atx.com result: ('pass', 250, 'sender SPF authorized') include:spf.protection.outlook.com root@nagios:/usr/local/bin/spfcheck# lewisdrug.com: Dmarciante notes: Error! 13 DNS lookups required to evaluate the SPF record. The maximum is 10. Error! SPF record is present, but invalid. root@nagios:/usr/local/bin/spfcheck# /usr/bin/python spf.py "v=spf1 mx a ip4:216.12.181.71/32 ip4:216.12.181.72/32 include:_spf.google.com include:spf.createsend.com include:_netblocks.mimecast.com ~all" 207.211.30.221 postmaster@lewisdrug.com mail.lewisdrug.com result: ('pass', 250, 'sender SPF authorized') mx root@nagios:/usr/local/bin/spfcheck# Frank -----Original Message----- From: Stuart D Gathman <stuart@gathman.org> Sent: Thursday, February 27, 2020 1:36 AM To: Frank Bulk <frnkblk@iname.com> Cc: spfbis@ietf.org Subject: Re: [spfbis] SPF-checking tool On Wed, 26 Feb 2020, Frank Bulk wrote: > I currently use kitterman's script, but it doesn't catch all the issues that > Dmarcian does and so there's a number of domains that have issues but I'm > not alerting on them. Dmarcian doesn't appear to have an API or downloadable > version of their tool that I can run. Are you checking DMARC, or SPF? If SPF, can you give an example of an incorrect policy that is not flagged?
- [spfbis] SPF-checking tool Frank Bulk
- Re: [spfbis] SPF-checking tool Scott Kitterman
- Re: [spfbis] SPF-checking tool Stuart D Gathman
- Re: [spfbis] SPF-checking tool Frank Bulk
- Re: [spfbis] SPF-checking tool Stuart D Gathman
- Re: [spfbis] SPF-checking tool Frank Bulk
- Re: [spfbis] SPF-checking tool Frank Bulk
- Re: [spfbis] SPF-checking tool Frank Bulk
- Re: [spfbis] SPF-checking tool Stuart D Gathman
- Re: [spfbis] SPF-checking tool John Levine
- Re: [spfbis] SPF-checking tool Frank Bulk